[vpn-help] Shrewsoft and Watchguard

Kevin VPN kvpn at live.com
Tue May 22 21:22:11 CDT 2012


On 05/04/2012 04:21 PM, Giuseppe Gammariello wrote:
> Hello all,
>
> I am using Shrewsoft 2.1.7 to connect to a very old and outdated
> Watchguard Firewall; running WatchGuard SOHO 6 TC.  I am able to
> connect to the WG successfully and from what I can tell, successfully
> establish phase 1 and phase 2 authentications.  All works fine for
> about 10-15 minutes, then I can no longer pass traffic.  Shrewsoft
> still says the tunnel is enabled, but no pings are returned.  I have
> the WatchGuard VPN software working on a Windows XP machine without
> issue and that stays connected all the time, however I can't get
> WatchGuard and Shrewsoft to work together.  I have attached some
> logs.  I have changed the external ip to 2.2.2.2 in the log files.
> The local site has a 192.168.1.0 network and the remote site has a
> 192.168.7.0 network.
>
> I did a running ping and pings stop getting replies at the
> 22:37:39.482 mark in the log files.
>
> Any help would be greatly appreciated.
>

Hi Giuseppe,

I'm not sure if this is still a problem (you sent this message weeks
ago), but I think your problem may be related to the phase1 "life 
kbytes" as shown below.

From my understanding, after either the "life seconds" or "life kbytes" 
limit is reached, the phase1 security association needs to be 
re-negotiated.  However, I've also noticed that it is possible for a tunnel 
to be established between a gateway and a client even if the "life 
seconds" or "life kbytes" do not match, and unfortunately if they do not 
match, the phase1 re-negotiation usually fails because only one end of 
the connection is ready to negotiate (the other thinks the current 
security association can still be used).

Try either setting the Shrew configuration Phase 1 "Key Life Data limit" 
to 0 or check with your VPN gateway administrator to see what the 
correct values for the Phase1 lifetime (Key Life Time limit) and Kbytes 
(Key Life Data limit) should be.


iked.log
...
12/05/03 22:23:27 << : security association payload
12/05/03 22:23:27 << : - propsal #1 payload
12/05/03 22:23:27 << : -- transform #1 payload
12/05/03 22:23:27 ii : matched isakmp proposal #1 transform #1
12/05/03 22:23:27 ii : - transform    = ike
12/05/03 22:23:27 ii : - cipher type  = des
12/05/03 22:23:27 ii : - key length   = default
12/05/03 22:23:27 ii : - hash type    = sha1
12/05/03 22:23:27 ii : - dh group     = modp-768
12/05/03 22:23:27 ii : - auth type    = psk
12/05/03 22:23:27 ii : - life seconds = 86400
12/05/03 22:23:27 ii : - life kbytes  = 1000
...
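To make the mismatch Kevin describes concrete, here is a small script added to this page (it is not part of the thread or of the Shrew Soft software) that pulls the phase 1 attributes out of the "matched isakmp proposal" block of an iked.log, compares the negotiated "life seconds" / "life kbytes" with the values the gateway is assumed to be configured with, and works out which end would consider the SA expired first at a given traffic rate. The gateway's values and the traffic rate are parameters you supply, since the thread does not state them; the convention that a limit of 0 means "no limit" is an assumption made here for illustration.

```python
import re

# Constructed sample input: the "matched isakmp proposal" block from the
# iked.log excerpt quoted in the thread (values are the ones shown there).
SAMPLE_LOG = """\
12/05/03 22:23:27 << : security association payload
12/05/03 22:23:27 << : - propsal #1 payload
12/05/03 22:23:27 << : -- transform #1 payload
12/05/03 22:23:27 ii : matched isakmp proposal #1 transform #1
12/05/03 22:23:27 ii : - transform    = ike
12/05/03 22:23:27 ii : - cipher type  = des
12/05/03 22:23:27 ii : - key length   = default
12/05/03 22:23:27 ii : - hash type    = sha1
12/05/03 22:23:27 ii : - dh group     = modp-768
12/05/03 22:23:27 ii : - auth type    = psk
12/05/03 22:23:27 ii : - life seconds = 86400
12/05/03 22:23:27 ii : - life kbytes  = 1000
"""

# One "ii : - <name> = <value>" attribute line; <name> may contain spaces.
ATTR_RE = re.compile(r"\bii : - (?P<name>[a-z][a-z ]*?)\s*= (?P<value>\S+)")


def parse_matched_proposal(log_text):
    """Return the attributes of the first matched ISAKMP (phase 1) proposal
    as a dict, e.g. {"cipher type": "des", ..., "life kbytes": "1000"}."""
    attrs = {}
    in_block = False
    for line in log_text.splitlines():
        if "matched isakmp proposal" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = ATTR_RE.search(line)
        if m is None:
            break  # the attribute block has ended
        attrs[m.group("name")] = m.group("value")
    return attrs


def check_lifetimes(client_attrs, gateway_seconds, gateway_kbytes):
    """Compare the client's negotiated phase 1 lifetimes with the values the
    gateway is (assumed to be) configured with. A limit of 0 is treated as
    "no limit", which is the assumption behind setting Shrew Soft's
    "Key Life Data limit" to 0. Returns a list of human-readable findings."""
    findings = []
    client_seconds = int(client_attrs["life seconds"])
    client_kbytes = int(client_attrs["life kbytes"])
    if client_seconds != gateway_seconds:
        findings.append("phase1 life seconds differ: client %d, gateway %d"
                        % (client_seconds, gateway_seconds))
    if client_kbytes != gateway_kbytes:
        findings.append("phase1 life kbytes differ: client %d, gateway %d"
                        % (client_kbytes, gateway_kbytes))
    return findings


def first_expiry(life_seconds, life_kbytes, kbytes_per_second):
    """Seconds until one end considers the phase 1 SA expired, given the
    rate of traffic counted against its data limit (0 = no limit)."""
    candidates = []
    if life_seconds:
        candidates.append(life_seconds)
    if life_kbytes and kbytes_per_second > 0:
        candidates.append(life_kbytes / kbytes_per_second)
    return min(candidates) if candidates else float("inf")


def rekey_mismatch(client_attrs, gateway_seconds, gateway_kbytes, kbytes_per_second):
    """Return (client_expiry, gateway_expiry) in seconds. When the two differ,
    the end that expires first wants to renegotiate while the other still
    believes the current SA is usable, which is the failure mode described."""
    client = first_expiry(int(client_attrs["life seconds"]),
                          int(client_attrs["life kbytes"]), kbytes_per_second)
    gateway = first_expiry(gateway_seconds, gateway_kbytes, kbytes_per_second)
    return client, gateway


if __name__ == "__main__":
    attrs = parse_matched_proposal(SAMPLE_LOG)
    # Assumed gateway configuration: 86400 s and no data limit.
    for finding in check_lifetimes(attrs, 86400, 0):
        print(finding)
    print("expiry (client, gateway) at 2 kB/s:", rekey_mismatch(attrs, 86400, 0, 2.0))
```

With the assumed gateway values, the only finding is the 1000 kB data limit on the client side, and at 2 kB/s the client would expire the SA after 500 seconds while the gateway would keep it for the full 86400; aligning both ends' lifetimes (or clearing the client's data limit, as suggested above) makes the two expiry figures agree.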
